ESB-2015.0002 - [UNIX/Linux][Debian] mime-support: Execute arbitrary code/commands - Remote with user interaction

Date: 05 January 2015

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2015.0002
                       mime-support security update
                              5 January 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           mime-support
Publisher:         Debian
Operating System:  Debian GNU/Linux 7
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-7209  

Original Bulletin: 
   http://www.debian.org/security/2014/dsa-3114

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than Debian. It is recommended that administrators 
         running mime-support check for an updated version of the software 
         for their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

- - -------------------------------------------------------------------------
Debian Security Advisory DSA-3114-1                   security@debian.org
http://www.debian.org/security/                      Salvatore Bonaccorso
December 29, 2014                      http://www.debian.org/security/faq
- - -------------------------------------------------------------------------

Package        : mime-support
CVE ID         : CVE-2014-7209

Timothy D. Morgan discovered that run-mailcap, a utility to execute
programs via entries in the mailcap file, is prone to shell command
injection via shell meta-characters in filenames. In specific scenarios
this flaw could allow an attacker to remotely execute arbitrary code.

For the stable distribution (wheezy), this problem has been fixed in
version 3.52-1+deb7u1.

For the upcoming stable distribution (jessie) and the unstable
distribution (sid), this problem will be fixed soon.

We recommend that you upgrade your mime-support packages.

Further information about Debian Security Advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://www.debian.org/security/

Mailing list: debian-security-announce@lists.debian.org
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------
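
The class of flaw described in the advisory above, as an added example (not code from run-mailcap, Debian or AusCERT): a mailcap-style command template whose `%s` is replaced by an untrusted filename, expanded unsafely and then in two hardened ways. The handler name `pdfviewer`, the templates and the sample filenames are constructed for illustration, and Python's `shlex` is used to approximate how a POSIX shell would split the resulting command line.

```python
import shlex


def expand_unsafe(template: str, filename: str) -> str:
    """Flawed pattern: paste the raw filename into a shell command line."""
    return template.replace("%s", filename)


def expand_quoted(template: str, filename: str) -> str:
    """Hardened for shell use: the filename is quoted as one literal word.

    Assumes %s is not already wrapped in quotes inside the template.
    """
    return template.replace("%s", shlex.quote(filename))


def expand_argv(template: str, filename: str) -> list:
    """Hardened without a shell: build an argument vector for exec-style calls.

    Only suits templates that are a single command (no pipes or redirects).
    """
    return [word.replace("%s", filename) for word in shlex.split(template)]


def shell_tokens(command: str) -> list:
    """Approximate the words and control operators a POSIX shell would see."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


if __name__ == "__main__":
    template = "pdfviewer %s"               # hypothetical mailcap view command
    filename = "report.pdf; echo INJECTED"  # constructed untrusted filename

    # Unsafe: ';' becomes a command separator and 'echo' a second command.
    print(shell_tokens(expand_unsafe(template, filename)))
    # Quoted: the whole filename stays a single argument to the viewer.
    print(shell_tokens(expand_quoted(template, filename)))
    # argv form: no shell parses the filename at all.
    print(expand_argv("pdfviewer '%s'", filename))
```

The argv form is the one to prefer where the handler is a single program, because the filename is never interpreted by a shell; quoting is the fallback when the template itself needs shell features.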

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----